Adding Users to AD LDS (ADAM) Readers Role
There are three default Roles (groups) in an application partition in an AD LDS (ADAM) instance:
Let’s look at the permissions of the Readers role (the application partition here is o=msft) using the Security UI in ldp.exe:
or using dsacls.exe:
The Readers role is empty by default. Individual AD LDS users or groups can be added to it by listing their distinguishedName in the group’s member attribute.
The following ldf adds (nests) the Users role in AD LDS into the Readers role:
placed in a file UserstoReaders.ldf and imported with
ldifde -i -f UserstoReaders.ldf -s localhost:389
from a command prompt on the AD LDS server, with the instance listening on port 389.
Since the Users role automatically contains every AD LDS user created in that partition, the result is that all of them get the Readers permissions on o=msft (each partition, including the configuration partition, has its own set of roles, so this does not affect the other partitions of the instance).
If we want Windows or domain users that can authenticate to the AD LDS instance to have Readers permissions instead, we can add the security identifier of the well-known Authenticated Users group (SID S-1-5-11) as a member of the role, as in the following ldf:
The Base64 encoding of the member attribute is explained here.
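The following script is an added example, not the ldf files from this post: it generates both modify operations described above (nesting the Users role into Readers, and adding Authenticated Users by SID) and applies the LDIF rule that makes the base64 form necessary. It assumes the default role layout CN=Readers,CN=Roles,o=msft and CN=Users,CN=Roles,o=msft, and the file name AuthUsersToReaders.ldf is made up for the example.

```python
import base64
import re

# Constructed for this example: the partition and role DNs from the post,
# assuming the default CN=Roles container of an AD LDS application partition.
PARTITION_DN = "o=msft"
READERS_DN = f"CN=Readers,CN=Roles,{PARTITION_DN}"
USERS_DN = f"CN=Users,CN=Roles,{PARTITION_DN}"
AUTHENTICATED_USERS_SID = "S-1-5-11"  # well-known SID for Authenticated Users


def needs_base64(value: str) -> bool:
    """RFC 2849 (LDIF): a value must be written as 'attr:: <base64>' when it
    starts with a space, ':' or '<', ends with a space, or contains a byte
    outside printable ASCII. '<SID=...>' starts with '<', which is why ldifde
    rejects it in plain form."""
    if value == "":
        return False
    if value[0] in (" ", ":", "<") or value.endswith(" "):
        return True
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in value)


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding only when required."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def decode_ldif_line(line: str) -> tuple[str, str]:
    """Reverse of ldif_attr: useful to check what an existing .ldf really adds."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()


def sid_binding(sid: str) -> str:
    """AD LDS accepts a Windows SID in place of a DN via the <SID=...> binding."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError(f"not a SID string: {sid!r}")
    return f"<SID={sid}>"


def add_member_ldif(group_dn: str, member_value: str) -> str:
    """One LDIF 'modify' record adding member_value to group_dn's member attribute."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        ldif_attr("member", member_value),
        "-",
        "",
    ])


def nest_users_into_readers() -> str:
    return add_member_ldif(READERS_DN, USERS_DN)


def authenticated_users_into_readers() -> str:
    return add_member_ldif(READERS_DN, sid_binding(AUTHENTICATED_USERS_SID))


def ldifde_import_command(ldf_path: str, host: str = "localhost", port: int = 389) -> list[str]:
    """The ldifde invocation from the post, as an argv list."""
    return ["ldifde", "-i", "-f", ldf_path, "-s", f"{host}:{port}"]


if __name__ == "__main__":
    files = (
        ("UserstoReaders.ldf", nest_users_into_readers()),
        ("AuthUsersToReaders.ldf", authenticated_users_into_readers()),  # name made up here
    )
    for path, text in files:
        with open(path, "w", encoding="ascii", newline="\r\n") as fh:
            fh.write(text)
        print(f"wrote {path}; import with: {' '.join(ldifde_import_command(path))}")
```

Two things worth checking before importing the second file: S-1-5-11 covers every Windows account that can bind to the instance, computer accounts and accounts from trusted domains included, so only grant it if everything under o=msft is safe to expose to all of them; and after the import, re-run the dsacls.exe or ldp.exe check from above so that the resulting permissions on o=msft are confirmed rather than assumed.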